Analysis
max time kernel: 150s
max time network: 88s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 07/12/2022, 02:43
Static task: static1
Behavioral task: behavioral1
  Sample: 61eca3bc4a14c239be754b47382aff8d96f8b9585aead672be640904f0274236.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 61eca3bc4a14c239be754b47382aff8d96f8b9585aead672be640904f0274236.exe
  Resource: win10v2004-20220812-en
General
Target: 61eca3bc4a14c239be754b47382aff8d96f8b9585aead672be640904f0274236.exe
Size: 224KB
MD5: 10c99fbf7e4a7b54db144c1bf906b530
SHA1: 1e481c2a7c2c0cf80666fd2842aa2909678e5530
SHA256: 61eca3bc4a14c239be754b47382aff8d96f8b9585aead672be640904f0274236
SHA512: a724737bca6b7773139dc7409d142f13161fdfcd16d1814208ea9ca17b3d642b094a78eda8548df573487878558aa9b1f12b2f029b088e67560fd404927e9a81
SSDEEP: 3072:G4gaOXfWRrIMNRlZ62Pal2LBJXmzOHm5WZ3K+MC55nG/bXmPy:GrXepp3PJXCOGY3eGnC7
Malware Config
Signatures

Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 61eca3bc4a14c239be754b47382aff8d96f8b9585aead672be640904f0274236.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | pieozeh.exe

Executes dropped EXE (1 IoCs)
  pid | Process
  952 | pieozeh.exe

Loads dropped DLL (2 IoCs)
  pid | Process
  1808 | 61eca3bc4a14c239be754b47382aff8d96f8b9585aead672be640904f0274236.exe
  1808 | 61eca3bc4a14c239be754b47382aff8d96f8b9585aead672be640904f0274236.exe

Adds Run key to start application (2 TTPs, 29 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\pieozeh = "C:\\Users\\Admin\\pieozeh.exe /y" | pieozeh.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\pieozeh = "C:\\Users\\Admin\\pieozeh.exe /i" | pieozeh.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\pieozeh = "C:\\Users\\Admin\\pieozeh.exe /h" | pieozeh.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\pieozeh = "C:\\Users\\Admin\\pieozeh.exe /r" | pieozeh.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\pieozeh = "C:\\Users\\Admin\\pieozeh.exe /u" | pieozeh.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\pieozeh = "C:\\Users\\Admin\\pieozeh.exe /n" | pieozeh.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\pieozeh = "C:\\Users\\Admin\\pieozeh.exe /p" | pieozeh.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\pieozeh = "C:\\Users\\Admin\\pieozeh.exe /b" | pieozeh.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\pieozeh = "C:\\Users\\Admin\\pieozeh.exe /c" | pieozeh.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\pieozeh = "C:\\Users\\Admin\\pieozeh.exe /e" | pieozeh.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\pieozeh = "C:\\Users\\Admin\\pieozeh.exe /k" | pieozeh.exe
  Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | pieozeh.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\pieozeh = "C:\\Users\\Admin\\pieozeh.exe /j" | pieozeh.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\pieozeh = "C:\\Users\\Admin\\pieozeh.exe /w" | pieozeh.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\pieozeh = "C:\\Users\\Admin\\pieozeh.exe /g" | pieozeh.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\pieozeh = "C:\\Users\\Admin\\pieozeh.exe /r" | 61eca3bc4a14c239be754b47382aff8d96f8b9585aead672be640904f0274236.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\pieozeh = "C:\\Users\\Admin\\pieozeh.exe /o" | pieozeh.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\pieozeh = "C:\\Users\\Admin\\pieozeh.exe /t" | pieozeh.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\pieozeh = "C:\\Users\\Admin\\pieozeh.exe /l" | pieozeh.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\pieozeh = "C:\\Users\\Admin\\pieozeh.exe /z" | pieozeh.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\pieozeh = "C:\\Users\\Admin\\pieozeh.exe /s" | pieozeh.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\pieozeh = "C:\\Users\\Admin\\pieozeh.exe /a" | pieozeh.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\pieozeh = "C:\\Users\\Admin\\pieozeh.exe /x" | pieozeh.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\pieozeh = "C:\\Users\\Admin\\pieozeh.exe /d" | pieozeh.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\pieozeh = "C:\\Users\\Admin\\pieozeh.exe /m" | pieozeh.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\pieozeh = "C:\\Users\\Admin\\pieozeh.exe /q" | pieozeh.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\pieozeh = "C:\\Users\\Admin\\pieozeh.exe /v" | pieozeh.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\pieozeh = "C:\\Users\\Admin\\pieozeh.exe /f" | pieozeh.exe
  Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | 61eca3bc4a14c239be754b47382aff8d96f8b9585aead672be640904f0274236.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  1808 | 61eca3bc4a14c239be754b47382aff8d96f8b9585aead672be640904f0274236.exe
  952 | pieozeh.exe (this entry is repeated 63 times)

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  1808 | 61eca3bc4a14c239be754b47382aff8d96f8b9585aead672be640904f0274236.exe
  952 | pieozeh.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 1808 wrote to memory of 952 | 1808 | 61eca3bc4a14c239be754b47382aff8d96f8b9585aead672be640904f0274236.exe | 28
  PID 1808 wrote to memory of 952 | 1808 | 61eca3bc4a14c239be754b47382aff8d96f8b9585aead672be640904f0274236.exe | 28
  PID 1808 wrote to memory of 952 | 1808 | 61eca3bc4a14c239be754b47382aff8d96f8b9585aead672be640904f0274236.exe | 28
  PID 1808 wrote to memory of 952 | 1808 | 61eca3bc4a14c239be754b47382aff8d96f8b9585aead672be640904f0274236.exe | 28
Processes

C:\Users\Admin\AppData\Local\Temp\61eca3bc4a14c239be754b47382aff8d96f8b9585aead672be640904f0274236.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\61eca3bc4a14c239be754b47382aff8d96f8b9585aead672be640904f0274236.exe"
  PID: 1808
  - Modifies visibility of hidden/system files in Explorer
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\pieozeh.exe (child of PID 1808)
    Command line: "C:\Users\Admin\pieozeh.exe"
    PID: 952
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
The same file is listed four times (one identical entry per download):
  Filesize: 224KB
  MD5: f39511a64f1660977143eabda7431c39
  SHA1: 91141738a0de798dc80e52cbf95201f53824d239
  SHA256: 38e6673d3b5db78b0d7190addbc85742c48be835db186b3603294ed3247c7af9
  SHA512: 8429462c32b89641f5f9c04004d13505568931b7df1508727fd846537c38295ba2ec28f6d7e4cba465fe8a4f67d620429e8f0c955dd3352e314cd970f1d7eb29